U.S. Department of the Interior
Office of Inspector General

AUDIT REPORT

FOLLOWUP OF RECOMMENDATIONS FOR
IMPROVING GENERAL CONTROLS OVER
AUTOMATED INFORMATION SYSTEMS,
BUREAU OF INDIAN AFFAIRS

REPORT NO. 99-I-454
JULY 1999

A-I-N-BIA-002-98-M

United States Department of the Interior
OFFICE OF INSPECTOR GENERAL
Washington, D.C. 20240

JUL 26 1999

Memorandum

To:        Assistant Secretary for Indian Affairs

From:      Robert J. Williams
           Assistant Inspector General for Audits

Subject:   Audit Report on Followup of Recommendations for Improving General Controls
           Over Automated Information Systems, Bureau of Indian Affairs (No. 99-I-454)

INTRODUCTION

This report presents the results of our audit of the implementation of recommendations
contained in our April 1997 audit report titled “General Controls Over Automated
Information Systems, Operations Service Center, Bureau of Indian Affairs” (No. 97-I-771)
and our June 1998 audit report titled “Followup of General Controls Over Automated
Information Systems, Operations Service Center, Bureau of Indian Affairs” (No. 98-I-483).
The objective of our audit was to determine whether the Bureau of Indian Affairs had
satisfactorily implemented the recommendations made in our prior audit reports and whether
any new recommendations were warranted.
This audit supports the Office of Inspector General’s opinion on the financial
statements of the Bureau and the Office of the Special
Trustee for American Indians by evaluating the reliability of the general controls over
computer-generated data that support the Bureau’s and the Office of the Special Trustee’s
financial statements.

BACKGROUND

The Bureau’s Office of Information Resources Management, through its Operations Service
Center, both located in Albuquerque, New Mexico, is responsible for administering the
general controls over the Bureau’s and the Office of the Special Trustee’s automated
information systems. The Center provides computer services such as communications
networks, software development, operations, and maintenance; systems recovery; and user
support. The Center operates a Unisys server that is used to run the Office of the Special
Trustee’s applications, such as the Individual Indian Monies, and Bureau applications that
support Indian trust fund accounts. The Center also operated an IBM mainframe computer
until December 1997, when the Bureau transferred its IBM operations and data processing
functions to a host IBM mainframe computer owned by the U.S. Geological Survey’s
Enterprise Data Service Center, located in Reston, Virginia. The Geological Survey’s IBM
computer is used to run Bureau applications, such as the Land Records Information System
and the National Irrigation Information Management System.

SCOPE OF AUDIT

Our audit included an evaluation of actions taken by Bureau management to implement the
12 recommendations contained in our April 1997 audit report and the 8 recommendations
contained in our June 1998 audit report and a review of the general controls in place during
fiscal year 1998.
To accomplish our objective, we interviewed personnel at the Operations
Service Center of the Bureau’s Office of Information Resources Management, contractor
personnel, and personnel at the Geological Survey’s Enterprise Data Service Center. We
reviewed the Bureau’s policies and procedures as they related to the Bureau’s computer
operations, analyzed system security, and reviewed and tested implementation of the prior
audit reports’ recommendations. Because the highest priority of Center personnel at the time
of our review was remedying applications for year 2000 (Y2K) compliancy, the availability
of Center personnel was limited. Therefore, we performed limited testing of controls over
the Unisys server.

The audit was conducted in accordance with the “Government Auditing Standards,” issued
by the Comptroller General of the United States. Accordingly, we included such tests of
records and other auditing procedures that were considered necessary under the
circumstances to accomplish our audit objective.

As part of our audit, we evaluated the Bureau’s general controls over its automated
information systems that could adversely affect the data processing environment. The
control weaknesses identified are discussed in the Results of Audit section. Because of
inherent limitations in any system of internal controls, losses, noncompliance, or
misstatements may occur and not be detected.
We also caution that projecting our evaluations to future periods is subject to the
risk that controls or the degree of compliance
with the controls may diminish.

RESULTS OF AUDIT

We concluded that the general controls over the Bureau of Indian Affairs automated
information systems were ineffective in the areas of its security program, access controls,
software development and change controls, segregation of duties, and continuity of service.
The Bureau continued to have ineffective general controls because Bureau management had
not ensured that the recommendations contained in our April 1997 and June 1998 audit
reports were implemented (see Appendices 1 and 2, respectively). Specifically, of the
20 recommendations from our prior audit reports, the Bureau had implemented
3 recommendations and had partially implemented 6 recommendations, but it had not
implemented the remaining 11 recommendations. Office of Management and Budget
Circular A-123, “Management Accountability and Control,” states:

        Resolution of Audit Findings and Other Deficiencies. Managers should
        promptly evaluate and determine proper actions in response to known
        deficiencies, reported audit and other findings, and related recommendations.
        Managers should complete, within established time frames, all actions that
        correct or otherwise resolve the appropriate matters brought to management’s
        attention. . . . Correcting deficiencies is an integral part of management
        accountability and must be considered a priority by the agency.
        [Managers are required to report in their annual integrity report to the
        President and the Congress any significant deficiencies and related risks.]

In addition, Circular A-123 states that deficiencies which are significant should be
considered a “material weakness.” It further states that deficiencies are significant when the
management controls (1) do not provide assurance that assets are safeguarded against waste,
loss, unauthorized use, or misappropriation and (2) are not adequate to protect the integrity
of Federal programs or to ensure that resources are used consistent with the agency’s
mission; laws and regulations are followed; and reliable and timely information is obtained,
maintained, reported, and used for decision making.

Additionally, publications of the Office of Management and Budget and the National
Institute of Standards and Technology require Federal agencies to establish and implement
management and internal controls to protect sensitive information in general support¹ and
major application systems. Office of Management and Budget Circular A-130, Appendix III,
“Security of Federal Automated Information Resources,” states:

        Agencies shall implement and maintain a program to assure that adequate
        security is provided for all agency information collected, processed,
        transmitted, stored, or disseminated in general support systems and major
        applications. Adequate security means security commensurate with the risk
        and magnitude of the harm resulting from the loss, misuse, or unauthorized
        access to or modification of information.
        This includes assuring that systems
        and applications used by the agency operate effectively and provide
        appropriate confidentiality, integrity, and availability, through the use of
        cost-effective management, personnel, operational, and technical controls.

Since the recommendations from our prior audit reports have not been implemented, the
Bureau is at risk of loss, misuse, modification of, or unauthorized access to the data in its
automated information systems. Further, because the Bureau had not made significant
progress in correcting deficiencies in the general controls over its automated systems, we
believe that the Bureau is not in compliance with the Federal Financial Management
Improvement Act and should report these deficiencies to the Department as a material
weakness in the Bureau’s annual assurance statement on management controls, which is
required by the Federal Managers’ Financial Integrity Act.

¹ Office of Management and Budget Circular A-130 defines a general support system or system
to mean “an interconnected set of information resources under the same direct management
control which shares common functionality. A system normally includes hardware, software,
information, data, applications, communications and people.”

The impact on the Bureau’s general controls as a result of the Bureau’s lack of
implementation of the related recommendations is discussed in the sections that follow.

System Security Program

The Bureau did not have an effective system security program that included an information
resource management strategic plan, periodic risk assessments, periodic assessments of the
system security program’s effectiveness, and personnel security policies and procedures to
ensure that appropriate security clearances for personnel in sensitive
or critical automated
data processing (ADP) positions were obtained. We made nine recommendations relating
to this weakness in the prior reports (Nos. A.1, A.2, A.3, and B.1 in our April 1997 report
(see Appendix 1) and Nos. A.1, A.2, A.3, A.4, and A.5 in our June 1998 report (see
Appendix 2)). During our current audit, we found that the Bureau had implemented one
recommendation and had partially implemented two recommendations, but it had not
implemented the remaining six recommendations. Therefore, the Bureau had little assurance
that its information resources were used and managed effectively to accomplish its mission
or that established controls could be relied on to protect mission-based sensitive computer
systems and data.

Access Controls

Physical and logical access controls over the Bureau’s automated information systems were
ineffective. Specifically, the Bureau did not classify its resources to determine the level of
security necessary, monitor visitor activities while at the Center, perform periodic reviews
to ensure that users’ access levels to the mainframe computers were appropriate, and change
passwords to access the Unisys computer periodically. We made six recommendations
relating to this weakness in the prior reports (Nos. C.1, D.1, D.2, and E.1 in our April 1997
report (see Appendix 1) and Nos. A.6 and A.7 in our June 1998 report (see Appendix 2)).
During our current audit, we found that the Bureau had partially implemented two
recommendations but had not implemented four recommendations.
Therefore, the Bureau
had little assurance that the most cost-effective access controls were in place to protect its
computer resources; that the computer resources located in the Center’s computer operations
room, such as the mainframe computer, local area network (LAN) equipment, and daily
backup tape libraries, were safeguarded from dust or fire hazards; that user access was
assigned at the appropriate level; and that password controls were adequate.

Software Development and Change Controls

Software development and change controls were inadequate to ensure that the proper version
of an application was used in production. For example, the programmers of the National
Irrigation Information Management System and the Loan Management Accounting System
not only programmed the application but also tested, authorized, and approved the movement
of the modified programs from test or development into production. In addition, requests
to change or modify the applications were not fully documented. We made one
recommendation relating to this weakness in the prior report (No. G.1 in our April 1997
report (see Appendix 1)). During our current audit, we found that the Bureau had not
implemented this recommendation. Therefore, the Bureau had little assurance that only
authorized programs and authorized modifications were implemented; that all programs and
program modifications were properly authorized, tested, and approved; and that access to and
distribution of programs were carefully controlled.

Segregation of Duties

Duties were inadequately segregated for the systems support functions in the areas of system
design, applications programming, systems programming, quality assurance/testing, library
management, change management, data control, data security, and data administration. We
made one recommendation relating to this weakness in the prior report (No. H.1 in our April
1997 report (see Appendix 1)). During our current audit, we found that the Bureau had
partially implemented this recommendation because the IBM computer operations, such as
system design and system programming, were transferred to the Geological Survey.
However, the Bureau’s separation of duties for system functions continued to be inadequate
in the areas of applications programming, quality assurance/testing, library management,
change management, data security, and data administration. Therefore, the Bureau had little
assurance that programmers were making only authorized program changes; that computer
programmers were independently writing, testing, and approving program changes; or that
errors or illegal acts would be detected or detected timely.

Service Continuity

The Center did not have an effective means of recovering or of continuing computer
operations in the event of system failure or disaster. Specifically, the Bureau’s backup
information, such as software applications and databases, was stored on-site in the Center’s
computer operations room rather than in an off-site storage facility. We made two
recommendations relating to this weakness in the prior reports (No. J.1 in our April 1997
report (see Appendix 1) and No. A.8 in our June 1998 report (see Appendix 2)). During our
current review, we found that the Bureau had implemented one recommendation and had
partially implemented the other recommendation.
Therefore, there was no assurance that the
Center would be able to recover or resume critical computer operations in the event a system
failed or a disaster occurred.

Recommendation

We recommend that the Assistant Secretary for Indian Affairs report the Bureau’s ineffective
general controls over its automated information systems as a material weakness in the
Bureau’s annual assurance statement, which is required by the Federal Managers’ Financial
Integrity Act.

Bureau of Indian Affairs Response and Office of Inspector General Reply

In the June 3, 1999, response (Appendix 3) to the draft report from the Assistant Secretary
for Indian Affairs, the Bureau concurred with the recommendation. Based on the response
and subsequent discussions, we consider the recommendation resolved but not implemented.
Accordingly, the recommendation will be forwarded to the Assistant Secretary for Policy,
Management and Budget for tracking of implementation (see Appendix 4).

Regarding our April 1997 report, the Bureau, in its June 1999 response, included a revised
corrective action plan. Based on our current audit and the Bureau’s response, we consider
2 recommendations (Nos. H.1 and I.1) resolved and implemented and 10 recommendations
(Nos. A.1, A.2, A.3, B.1, C.1, D.1, D.2, E.1, G.1, and J.1) resolved but not implemented.
Accordingly, the updated information on the prior recommendations will be forwarded to the
Assistant Secretary for Policy, Management and Budget (see Appendix 5).

Regarding our June 1998 report, the Bureau, in its June 1999 response, included a revised
corrective action plan. Based on our current audit and the Bureau’s response, we consider
three recommendations (Nos. A.1, A.3, and A.8) resolved and implemented and the
remaining five recommendations (Nos.
A.2, A.4, A.5, A.6, and A.7) resolved but not
implemented. Accordingly, the updated information on the prior recommendations will be
forwarded to the Assistant Secretary for Policy, Management and Budget (see Appendix 6).

Since the recommendation contained in this report is considered resolved, no further
response to the Office of Inspector General is required (see Appendix 4).

The legislation, as amended, creating the Office of Inspector General requires semiannual
reporting to the Congress on all audit reports issued, actions taken to implement audit
recommendations, and identification of each significant recommendation on which corrective
action has not been taken.

We appreciate the assistance of Bureau personnel in the conduct of our audit.

APPENDIX 1

SUMMARY OF RECOMMENDATIONS AND CORRECTIVE
ACTIONS FOR AUDIT REPORT
“GENERAL CONTROLS OVER AUTOMATED INFORMATION
SYSTEMS, OPERATIONS SERVICE CENTER,
BUREAU OF INDIAN AFFAIRS” (NO. 97-I-771)

Recommendation: A.1. The information technology security function is elevated
organizationally to at least report directly to the Director, Office of Information
Resources Management; is formally provided with authority to implement and enforce a
Bureauwide system security program; and is provided staff to perform the required duties,
such as providing computer security awareness training and performing periodic risk
assessments.

Status of Recommendation and Corrective Actions: Partially implemented. The Bureau of
Indian Affairs stated that the Information Technology (IT) Security Manager had reported
to the Director, Office of Information Resources Management, since October 1997 and that
the position had Bureauwide authority for the information technology security program. The
Bureau also stated that sufficient staff would be available to manage security requirements
once the transfer to the host IBM computer at the U.S. Geological Survey had taken place.
We found that the Security Manager reported to the Director, Office of Information
Resources Management; however, we did not find that the Security Manager had acted on the
authority to implement a Bureauwide security plan. Although authority is implied in the
position description, the Bureau had not ensured that the Security Manager’s authority was
recognized by all Bureau personnel. In addition, the Security Manager is physically located
at the Operations Service Center and has focused on Center security and user access to the
IBM mainframe and Unisys server rather than on Bureauwide system security issues. We also
found that additional staff had not been assigned to assist in providing security awareness
training and performing risk assessments when the IBM operations were transferred to the
host computer at the Geological Survey.

Recommendation: A.2. A system security program is developed and documented which includes
the information required by the Computer Security Act of 1987 and Office of Management and
Budget Circular A-130, Appendix III, “Security of Federal Automated Information Resources,”
and policies and procedures are implemented to keep the system security program current.

Status of Recommendation and Corrective Actions: Not implemented. The Bureau stated that it
had entered into an agreement with the Geological Survey’s Washington Administrative Service
Center - West to develop, by July 31, 1998, a comprehensive security plan. The “Bureau of
Indian Affairs Logical Security Internal Procedures Manual” was delivered to the Bureau
during our site visit in September 1998. However, the plan was not Bureau specific but
rather an overview of the Geological Survey’s security for its IBM computer located in
Reston, Virginia. Additionally, we found that policies and procedures were not developed
and implemented to keep the system security program current.

Recommendation: A.3. The Bureau’s security personnel perform risk assessments of the
Bureau’s automated information systems environment and, as appropriate, provide assurance
that the necessary changes are implemented to manage the risks identified.

Status of Recommendation and Corrective Actions: Not implemented. The Bureau stated that
its information systems security staff would oversee this effort beginning in fiscal year
1999. However, we found that management had not developed a security program; therefore,
plans had not been developed to begin risk assessments in fiscal year 1999.

Recommendation: B.1. Ensure that personnel security policies and procedures are developed,
implemented, and enforced, including those for obtaining appropriate security clearances
for personnel in sensitive or critical automated data processing (ADP) positions and for
informing the security staff, in writing, whenever employees who are system users terminate
their employment or are transferred.

Status of Recommendation and Corrective Actions: Partially implemented. The Bureau stated
that it had reorganized its position sensitivity program and that, as part of the effort,
it had begun to review all sensitive positions. We found that personnel policies and
procedures had not been developed or implemented to ensure that appropriate security
clearances for personnel in sensitive or critical ADP positions were obtained or that
security staff were notified in writing when employees terminated their employment or were
transferred. However, during our site visit, the Security Manager was working with the
Bureau’s Central Office in reviewing the sensitivity levels of personnel assigned to the
Operations Service Center. In addition, the Bureau stated that the Security Manager would
ensure that the employee termination report was received and reconciled with system users.
During our site visit, Bureau management had not agreed on how the termination report would
be provided to the Security Manager.

Recommendation: C.1. Develop and implement policies to classify the Bureau’s computer
resources in accordance with the results of periodic risk assessments and guidance
contained in Office of Management and Budget Circular A-130, Appendix III.

Status of Recommendation and Corrective Actions: Not implemented. The Bureau stated that
risk assessments and classifications of its automated information systems environment
would be performed beginning in fiscal year 1999 in accordance with its security program
plan. According to the Bureau, assessments would be performed by teams consisting of
personnel from the Bureau’s Office of Information Resources Management and program offices.
We found that policies which would ensure that computer resources were classified in
accordance with Circular A-130 had not been developed or implemented.

Recommendation: D.1. Ensure that sufficient staff are provided to adequately monitor all
visitor activities.

Status of Recommendation and Corrective Actions: Not implemented. The Bureau stated that
the recommendation had been implemented to the extent possible given the Bureau’s available
resources. The Bureau further stated that the organizational element receiving the visitors
would monitor visitor activities. We found, during our site visit, that Center management
did not consistently monitor visitors’ activities.

Recommendation: D.2. Ensure that funding is provided for adequate maintenance of the
computer operations room, such as providing daily housekeeping services, or that
fire-producing equipment and supplies are removed from the computer room.

Status of Recommendation and Corrective Actions: Partially implemented. The Bureau stated
that it had provided funds to the Center for full-time housekeeping and maintenance
services for the computer room beginning in fiscal year 1998. We found that the Bureau had
provided for daily housekeeping services and that the fire-producing equipment was no
longer in use. Although housekeeping services were being performed and the fire-producing
equipment identified in the prior report was no longer in use, the Center was using the
computer operations room as a storage facility, which increased the risk of equipment
failure and other fire hazards. For example, cardboard boxes of old records and old
computer equipment were stored in the computer operations room.

Recommendation: E.1. Ensure that policies are developed and implemented which match
personnel files with system users periodically, that user identifications (IDs) are deleted
from the system for users whose employment had been terminated, and that verification and
approval are obtained from user supervisors and application owners or managers that the
levels of access are appropriate.

Status of Recommendation and Corrective Actions: Not implemented. The Bureau did not
address this recommendation. We found that new or revised policies had not been developed
which would match personnel files with system users periodically, delete user IDs from the
system for users whose employment had been terminated, and ensure that verifications and
approvals were obtained from users’ supervisors and application owners that the users’
levels of access were appropriate.

Recommendation: F.1. Ensure that a higher priority is given to moving the applications
that reside on the Unisys mainframe to the IBM mainframe.

Status of Recommendation and Corrective Actions: Resolved. In the June 1998 audit report,
we recognized that the recommendation was no longer applicable because the Bureau had
determined that the Unisys applications could not be moved to the IBM mainframe.

Recommendation: G.1. Ensure that policies and procedures are developed and implemented
which clearly identify the individuals responsible and accountable for application
development and changes.

Status of Recommendation and Corrective Actions: Not implemented. The Bureau stated that
the Applications Support Branch would develop the policies and procedures. However, we
found that the Branch’s highest priority was the Bureau’s Y2K effort; thus, the policies
and procedures had not been developed.

Recommendation: H.1. Ensure that staffing at the Center is evaluated and adjusted so that
duties for critical system support functions are adequately segregated and fully utilized.

Status of Recommendation and Corrective Actions: Implemented. The Bureau did not address
this recommendation in its responses to our prior audit reports; however, for the IBM
mainframe applications, the recommendation was resolved with the transfer of the Bureau’s
mainframe operations to the Geological Survey’s host computer. We could not verify whether
the critical system support functions for the Unisys server were adjusted during our
fieldwork because Center personnel were involved with the Bureau’s Y2K testing and were
therefore not available.
Based on the Bureau’s June 3, 1999, response to the draft report, we consider the recommendation implemented because the Bureau stated that it is examining organizational changes and personnel assignments to ensure that duties are separated. The Bureau further stated that it will continue to monitor its progress in separating critical system support functions.

Recommendation: I.1. Ensure that access and activities of the Center’s system programmers are controlled and monitored by security staff and that RACF controls are established to protect system resources.

Status of Recommendation and Corrective Actions: Implemented. The Bureau transferred its IBM computer operations to the Geological Survey’s host computer. After the transfer, the Geological Survey established the appropriate RACF controls that would protect the system resources, which included denying the Bureau’s system programmer access to the IBM computer’s system controls.

Recommendation: J.1. Ensure that a contingency plan is developed and tested and that funding is provided for acquiring a secure off-site storage facility.

Status of Recommendation and Corrective Actions: Partially implemented. The Bureau stated that it had a disaster recovery contract which fully tested and certified the Unisys-hosted applications. However, although a contingency plan had not been developed, the Bureau had contracted for a backup site for the Unisys server in the event of a disaster and had tested the functionality of the backup site. The Geological Survey is responsible for contingency planning for the Bureau’s IBM applications that reside on the Geological Survey’s host computer. Additionally, although the Bureau had provided funding for off-site storage of its backup media, the Center had not used the site.
The Bureau’s backup media were stored on-site in the Center’s computer operations room.

APPENDIX 2

SUMMARY OF RECOMMENDATIONS AND CORRECTIVE ACTIONS FOR AUDIT REPORT “FOLLOWUP OF GENERAL CONTROLS OVER AUTOMATED INFORMATION SYSTEMS, OPERATIONS SERVICE CENTER, BUREAU OF INDIAN AFFAIRS” (NO. 98-I-483)

Recommendation: A.1. Establish as a high priority the use of the Geological Survey’s host computer’s operating, security, and automated job scheduling systems.

Status of Recommendation and Corrective Actions: Implemented. The Bureau of Indian Affairs transferred its IBM mainframe operations to the Geological Survey’s host computer in December 1997. We reported this recommendation as implemented in our June 1998 audit report.

Recommendation: A.2. Develop and approve an Office of Information Resources Management strategic plan that provides direction to and defines the functions of the Operations Service Center.

Status of Recommendation and Corrective Actions: Not implemented. The Bureau stated that a strategic plan for the Office of Information Resources Management was being developed and finalized under a contract.
The strategic plan was to have been completed by September 30, 1998. We found that the contract, dated March 9, 1998, was to support the Bureau’s overall Information Resources Management strategic and tactical plans. However, contract performance was based on task orders, and at the time of our site visit, a task order had not been issued to develop a strategic plan.

Recommendation: A.3. Hold the Information Technology (IT) Security Manager accountable for performing the position responsibilities.

Status of Recommendation and Corrective Actions: Implemented. The Bureau stated that the IT Security Manager would be held accountable through the performance appraisal process.
However, we found that the IT Security Manager had not been held accountable for not implementing a Bureauwide security program, providing security awareness training, or performing risk assessments. Additionally, the IT Security Manager performed the functions of a local area network (LAN) administrator, which was not part of the IT Security Manager’s duties. Based on the Bureau’s June 3, 1999, response to the draft report, we considered the recommendation implemented because the Bureau stated in its response that the IT Security Manager will be evaluated based on his performance standards and position description.
The response further stated that the Division of Information Resources Management is in the process of “augmenting its IT security staff.”

Recommendation: A.4. Periodically perform an evaluation of the system security program’s effectiveness and include any resultant corrective actions in future Bureau security plans.

Status of Recommendation and Corrective Actions: Not implemented. The Bureau stated that it had entered into an agreement with the Washington Administrative Service Center - West to develop a comprehensive computer security plan. The plan’s operating procedures and the management control reviews required by the Department of the Interior’s Office of Information Resources Management would ensure that the plan would be reviewed periodically and updated.
The plan was to have been developed by July 31, 1998. The Center received the “Bureau of Indian Affairs Logical Security Internal Procedures Manual” in September 1998. We found that the “Manual” was not Bureau specific but generally related to the Geological Survey and did not provide procedures for performing evaluations of the system security program. In addition, an evaluation of the system security program’s effectiveness had not been performed in fiscal years 1996, 1997, or 1998.

Recommendation: A.5. Redetermine, based on the Office of Information Resources Management’s strategic plan, when the Bureau can begin performing risk assessments and classifying its resources. Also, personnel who will be responsible for the risk assessments and resource classifications should be identified.

Status of Recommendation and Corrective Actions: Not implemented. The Bureau stated that risk assessments and classifications of its automated information systems environment would be performed beginning in fiscal year 1999 in accordance with its security program plan. However, the Bureau had not developed a security program; therefore, plans had not been developed to begin risk assessments in fiscal year 1999, and personnel responsible for the risk assessments and resource classifications had not been identified.

Recommendation: A.6. Obtain security clearances for ADP personnel who are not assigned to the Center that are commensurate with their positions.

Status of Recommendation and Corrective Actions: Not implemented. The Bureau had begun to review and reassign security clearances for ADP personnel as a result of a Bureauwide initiative started in February 1998. During our site visit, the Security Manager was reviewing security clearances for Center personnel but had not begun to review clearances for personnel outside the Center.

Recommendation: A.7. Require Bureau staff to review and validate the appropriateness of users’ levels of access to the Bureau’s IBM applications. If the users’ levels of access are not reviewed and validated by Bureau personnel, the Bureau should modify its agreement with the Geological Survey to include the requirements that access reviews and verifications should be performed for the IBM applications by the Geological Survey.

Status of Recommendation and Corrective Actions: Partially implemented. Under the direction of personnel of the Geological Survey’s Enterprise Data Service Center, the Security Manager had begun to review the appropriateness of users’ levels of access to the Bureau’s IBM applications. Although the Bureau had begun negotiations with the Geological Survey to ensure that users’ levels of access were reviewed jointly by the Bureau and the Geological Survey, the Bureau had not finalized the negotiations by signing the agreement.

Recommendation: A.8. Remove all safety hazards from the computer operations room.

Status of Recommendation and Corrective Actions: Implemented. The Bureau stated that safety hazards had been removed. During our site visit, we found that the safety hazards had been removed.

APPENDIX 3

United States Department of the Interior
OFFICE OF THE SECRETARY
WASHINGTON, D.C.
20240

JUN 3 1999

Memorandum

To: Assistant Inspector General for Audits

From: Assistant Secretary - Indian Affairs

Subject: Draft Audit Report on Followup of Recommendations for Improving General Controls Over Automated Information Systems, Bureau of Indian Affairs (Assignment No. A-IN-BIA-002-98-M)

The subject audit report addresses the Bureau of Indian Affairs’ implementation of recommendations made by the Office of Inspector General (OIG) in April 1977, and June 1998, audit reports on the Operation Service Center’s general controls over automated information systems (Report Nos. 97-I-771 and 98-I-483, respectively). The audit found that of the 20 recommendations contained in the prior reports, the Bureau had implemented three recommendations, had partially implemented six recommendations, and had not implemented 11 recommendations. The most recent audit also includes one new recommendation.

The Bureau generally agrees with the findings of the followup audit. The revised corrective action plan (Attachment) provides information on the additional actions taken by the Bureau since the completion of the audit fieldwork and identifies revised target dates and officials responsible for implementing open recommendations.

Recommendation. [The Office of Inspector General] recommend[s] that the Assistant Secretary for Indian Affairs report the Bureau’s ineffective general controls over its automated information systems as a material weakness in the Bureau’s annual assurance statement, which is required by the Federal Managers’ Financial Integrity Act.

Bureau Response. The Bureau concurs.
The Bureau recognizes the security risks and is taking steps to correct these areas as we work to implement the recommendations made in the prior reports. The audit of the Center’s general controls is conducted in conjunction with the OIG’s audits of the financial statements of the Office of the Special Trustee for American Indians and of the Bureau of Indian Affairs and is used to evaluate the reliability of the general controls over computer-generated data that support these statements. As part of the corrective action, the Bureau is replacing the older applications systems with modern technology, which will enable more effective general controls over the automated systems.

The Trust Fund Accounting System (TFAS) that is being implemented by the Office of Trust Funds Management (OTFM) will replace the existing Individual Indian Monies system. Similarly, the Bureau is implementing a Trust Asset and Accounting Management System (TAAMS) to replace the Land Titles and Records System and the Integrated Records Management System that comprise the Bureau’s main Indian trust systems. Both systems will be operated and maintained by contractors.
With the deployment of these two systems, the ability to prepare accurate and timely financial statements will be greatly enhanced.

Attachment

STATUS OF CORRECTIVE ACTIONS FOR UNIMPLEMENTED RECOMMENDATIONS

OIG 97-I-771    General Controls Over Automated Information Systems, Operations Service Center, BIA [Issued: April 1997]

Recommendation A.1. The information technology security function is elevated organizationally to at least report to the Director, Office of Information Resources Management; is formally provided with the authority to implement and enforce a Bureauwide system security program; and is provided staff to perform the required duties, such as providing computer security awareness training and performing periodic risk assessments.

Status. The revised Departmental Manual chapter on BIA organization (130 DM 4) recognizes the Division of Information Resources Management (IRM) as providing Bureauwide information technology security leadership. Indian Affairs Manual (IAM) releases on information technology will also emphasize this point. To this end, IRM has evaluated the security plan for the Office of Law Enforcement. Regarding security awareness training, the Bureau is working with the Departmental information resources management staff to identify and develop LAN and Web based security awareness computer based training.

    Revised Target Date:     12/31/99
    Responsible Official:    IT Security Manager

Recommendation A.2.
Develop and document a system security program which includes the information required by the Computer Security Act of 1987 and Office of Management and Budget Circular A-130, Appendix III, and implement policies and procedures to keep the system security plan current.

Status. The Bureau of Indian Affairs Logical Security Internal Procedures Manual provides a starting point for the development of a Bureauwide security plan. The security plan and the IAM issuances will provide policies and procedures for keeping the system security program current.

    Revised Target Date:     12/31/99
    Responsible Official:    IT Security Manager

Recommendation A.3. The Bureau’s security personnel should perform risk assessments of the Bureau’s automated information systems environment and, as appropriate, provide assurance that the necessary changes are implemented to manage the risks identified.

Status. It is still the Bureau’s plan to initiate risk assessment in fiscal year 1999. The information security system staff will oversee the performance of the risk assessments which will be conducted in accordance with the guidance provided by OMB Circular A-130, Appendix III, and by the General Accounting Office publication entitled “Information Security Management.”

    Revised Target Date:     12/31/99
    Responsible Official:    IT Security Manager

Recommendation B.1.
Ensure that personnel security policies and procedures are developed, implemented, and enforced, including those for obtaining appropriate security clearances for personnel in sensitive or critical automated data processing positions and for informing the security staff, in writing, whenever employees who are system users terminate their employment or are transferred.

Status. As part of a Bureauwide effort to address deficiencies in its position sensitivity and security program, all Bureau positions were reviewed and classified consistently. The Center’s IT security staff is currently working on a project to bring those background investigations current with due consideration for the levels of investigation appropriate for personnel in sensitive or critical information technology positions. Policies and procedures have been drafted, and employee checkout procedures were revised to require notification of the IT security manager as part of the employee checkout process.

    Revised Target Date:     10/31/99
    Responsible Official:    Bureau Security Manager

Recommendation C.1. Develop and implement policies to classify the Bureau’s computer resources in accordance with the results of periodic risk assessments and guidance contained in Office of Management and Budget Circular A-130, Appendix III.

Status. It is still the Bureau’s plan to begin the classification of its automated information systems in fiscal year 1999. The reviews will be done by IRM staff with the assistance of program personnel. This will be performed in conjunction with Recommendation A.3.

    Revised Target Date:     12/31/99
    Responsible Official:    IT Security Manager

Recommendation D.1.
Sufficient staff are provided to adequately monitor all visitor activities.

Status. Formal procedures have been developed and issued by the Director, IRM to control visitor access into the Center. In addition, the Bureau has awarded a contract for significant improvements in access control. The improvements will include automated door control and closed circuit television subsystems.

    Revised Target Date:     08/31/99
    Responsible Official:    IT Security Manager

Recommendation D.2. Provide funding for adequate maintenance of the computer operating room, such as providing daily housekeeping services, or remove fire-producing equipment and supplies from the computer room.

Status. The IBM 3090 and Unisys A17 computers have been removed. The Center’s daily housekeeping has been improved and the staff are no longer storing old computer equipment, records and supplies in the computer operations room. The Center has reconfigured the space to provide additional operations and storage space. This effort includes separating the area devoted to servers and tape readers from the area used for printing.

    Revised Target Date:     08/01/99
    Responsible Official:    IT Security Manager

Recommendation E.1.
Ensure that policies are developed and implemented which match personnel files with system users periodically, that user IDs are deleted from the system for users whose employment has been terminated, and that verification and approval are obtained from user supervisors and application owners or managers that the levels of access are appropriate.

Status. The IRM is in the process of obtaining from system owners lists of individuals who have been authorized access to the respective systems. Those individuals who have not been given access have had their user identifications deleted from the systems. To date, IRM has completed this process for the Individual Indian Monies system and the Social Services Automated System. The IRM will begin reviewing the user identifications for the Land Records Information System. All other systems will be reviewed. The IRM is also in the process of comparing user identification lists with current employee lists to eliminate those individuals no longer employed by the Bureau.

    Revised Target Date:     12/31/99
    Responsible Official:    IT Security Manager

Recommendation G.1. Ensure that policies and procedures are developed and implemented which clearly identify the individuals responsible and accountable for application development and changes.

Status. The Applications Support Branch is responsible for developing and implementing standards, policies and procedures to ensure full accountability for all application system change management. A configuration management plan was developed for Y2K and will be expanded to cover all Bureau IT development and maintenance.

    Revised Target Date:     09/30/99
    Responsible Official:    Chief, Applications Support Branch

Recommendation H.1.
Ensure that staffing at the Center is evaluated and adjusted so that the duties for critical system support functions are adequately segregated and fully utilized.

Status. The Bureau recognizes that the required segregation of duties is a continuing challenge in an environment of reduced staffing levels and will continue to explore ways of ensuring separation of duties through its organizational changes and its assignments. For example, the Application Support Branch which performs and monitors system development is distinct from the security function which grants access to systems. Further, the individuals who control the data both by original data entry and data update are distinct from the Application Support Branch. The Bureau will continue to monitor the progress in this area.

Recommendation J.1. Ensure that a contingency plan is developed and tested and that funding is provided for acquiring a secure off-site storage facility.

Status. The Center is storing its backup media at the off-site storage facility. The USGS has a disaster recovery plan for the IBM mainframe and is responsible for implementing and testing the plan. The Center has a disaster recovery plan for the Unisys system and had scheduled a test of the plan on May 3 - 4, 1999. Unfortunately, the test was postponed by the contractor. The Center is in the process of rescheduling a new test date on the plan.
In addition, the Bureau is developing a
Continuity of Operations plan for the Center.

          Revised Target Date:                06/30/99
          Responsible Official:               IT Security Manager


OIG 98-I-483           Followup of General Controls Over Automated Information Systems,
                       Operations Service Center, Bureau of Indian Affairs
                       [Issued: June 1998]


Recommendation 2. Develop and approve an Office of Information Resources Management
strategic plan that provides direction to and defines the functions of the Operations Service Center.

Status. The Bureau will issue the task order for the strategic and tactical plans.

          Revised Target Date:                09/30/99
          Responsible Official:               Director, IRM

Recommendation 3. Hold the Information Technology Security Manager accountable for performing
the position responsibilities.

Status. The IT Security Manager will continue to be evaluated based upon his performance
standards and position description. In addition, the IRM is in the process of augmenting its IT
security staff.

Recommendation 4. Periodically perform an evaluation of the system security program’s
effectiveness and include any resultant corrective actions in future Bureau security plans.

Status. The system security program will be periodically evaluated in accordance with the schedule
established by the IT security plan and OMB Circular A-130.
The first review will be completed
and a periodic review schedule established by December 31, 1999.

          Revised Target Date:                12/31/99
          Responsible Official:               IT Security Manager

Recommendation 5. Redetermine, based on the Office of Information Resources Management’s
strategic plan, when the Bureau can begin performing risk assessments and classifying its resources.
Also personnel who will be responsible for the risk assessments and resource classifications should
be identified.

Status. See corrective action plan for Recommendation No. A.3.

          Revised Target Date:                12/31/99
          Responsible Official:               IT Security Manager

Recommendation 6. Obtain security clearances for ADP personnel who are not assigned to the
Center that are commensurate with their positions.

Status. Personnel in sensitive and critical automated data processing positions have been identified.
Review and updating of background investigations of individuals who have IT system access and
functions has been extended to include contractor employees, from coast to coast (including, for
example contractor individuals in Washington, DC, and Portland, Oregon). The Bureau will continue
to conduct and assure appropriate background investigations for individuals who enter the Bureau’s
work force and those who transfer from one role or location to another within the workforce.

          Revised Target Date:                10/31/99
          Responsible Official:               Bureau Security Officer

Recommendation 7. Require Bureau staff to review and validate the appropriateness of users’ levels
of access to the Bureau’s IBM applications.
If the users’ levels of access are not reviewed and
validated by Bureau personnel, the Bureau should modify its agreement with the Geological Survey
to include the requirements that access reviews and verifications should be performed for the IBM
applications by the Geological Survey.

Status. The Bureau will finalize the agreement with the U.S. Geological Survey to review users’
level of access.

          Revised Target Date:                09/30/99
          Responsible Official:               Director, IRM


                                                                 APPENDIX 4

  STATUS OF CURRENT AUDIT REPORT RECOMMENDATION

Finding/Recommendation
        Reference                Status               Action Required

           1                 Resolved; not        No further response to the Office
                             implemented.         of Inspector General is required.
                                                  The recommendation will be
                                                  referred to the Assistant
                                                  Secretary for Policy,
                                                  Management and Budget for
                                                  tracking of implementation.


                                                                 APPENDIX 5

  STATUS OF APRIL 1997 AUDIT REPORT RECOMMENDATIONS

Finding/Recommendation
        Reference                Status               Action Required

H.1 and I.                   Implemented.         No further action is required.

A.1, A.2, A.3, B.1, C.1,     Resolved; not        No further response to the Office
D.1, D.2, E.1, G.1, and J.1  implemented.         of Inspector General is required.
                                                  The recommendations and the
                                                  revised corrective action plan
                                                  will be forwarded to the
                                                  Assistant Secretary for Policy,
                                                  Management and Budget for
                                                  tracking of implementation.


                                                                 APPENDIX 6

  STATUS OF JUNE 1998 AUDIT REPORT RECOMMENDATIONS

Finding/Recommendation
        Reference                Status               Action Required

A.1, A.3, and A.8            Implemented.         No further action is required.

A.2, A.4, A.5, A.6, and      Resolved; not        No further response to the Office
A.7                          implemented.         of Inspector General is required.
                                                  The recommendations and the
                                                  revised corrective action plan
                                                  will be forwarded to the
                                                  Assistant Secretary for Policy,
                                                  Management and Budget for
                                                  tracking of implementation.


                    ILLEGAL OR WASTEFUL ACTIVITIES
                        SHOULD BE REPORTED TO
                   THE OFFICE OF INSPECTOR GENERAL


                        Internet/E-Mail Address

                            www.oig.doi.gov


                  Within the Continental United States

U.S. Department of the Interior          Our 24-hour
Office of Inspector General              Telephone HOTLINE
1849 C Street, N.W.                      1-800-424-5081 or
Mail Stop 5341                           (202) 208-5300
Washington, D.C. 20240
                                         TDD for hearing impaired
                                         (202) 208-2420 or
                                         1-800-354-0996


                  Outside the Continental United States

                            Caribbean Region

U.S. Department of the Interior          (703) 235-9221
Office of Inspector General
Eastern Division - Investigations
4040 Fairfax Drive
Suite 303
Arlington, Virginia 22203

                          North Pacific Region

U.S. Department of the Interior          (671) 647-6060
Office of Inspector General
North Pacific Region
415 Chalan San Antonio
Baltej Pavilion, Suite 306
Tamuning, Guam 96911